Feature Request
Resolution: Done
Blocker
1. Proposed title of this feature request
EC2 Instance Metadata Service (IMDS) version configurability on HCP node pools
2. What is the nature and description of the request?
HCP creates EC2 instances as part of nodepools. By default, those EC2 instances allow both AWS EC2 IMDSv1 and IMDSv2. There is no way to require that the instances use only IMDSv2, which would force applications running on OpenShift to use short-lived tokens.
3. Why does the customer need this? (List the business requirements here)
IMDSv2 is more secure than IMDSv1 because of the requirement to use short-lived tokens when accessing the IMDS endpoint from the instance or from an application pod running on the instance.
Customers could override the setting directly in EC2, but will that hold when new nodes are created through autoscaling or auto-healing?
Enterprise environments have IAM or SCP policies that require instances to be created only with IMDSv2. In such environments, it is not possible to create HCP clusters.
Stand-alone OCP already has this capability, and HCP is OCP.
4. List any affected packages or components.
HyperShift, OVN
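As an added example, not part of this request or of HyperShift's code: a small Python audit over the MetadataOptions block of an ec2:DescribeInstances response (a constructed sample here, where boto3's ec2.describe_instances() would normally be used) that lists nodepool instances still accepting IMDSv1 and builds the modify_instance_metadata_options parameters that enforce IMDSv2. The hop limit of 2 is an assumption about what pods on the node need in order to obtain a token.

```python
# Added example: audit EC2 instances for IMDSv1 exposure from the
# MetadataOptions block of a DescribeInstances response. The sample below is
# constructed so the script runs offline; pass ec2.describe_instances() instead.

# Constructed sample of a DescribeInstances response (two nodepool instances).
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0example1",
             "MetadataOptions": {"HttpTokens": "optional",
                                 "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0example2",
             "MetadataOptions": {"HttpTokens": "required",
                                 "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 2}},
        ]}
    ]
}


def instances(response):
    """Flatten Reservations[].Instances[] from a DescribeInstances response."""
    for reservation in response.get("Reservations", []):
        yield from reservation.get("Instances", [])


def imdsv1_exposed(response):
    """Ids of instances that still accept IMDSv1 (HttpTokens != "required")
    while the metadata endpoint is reachable. A missing HttpTokens value is
    treated as "optional", the EC2 default, so it is reported as exposed."""
    found = []
    for inst in instances(response):
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint", "enabled") == "disabled":
            continue  # endpoint off: no metadata reachable over v1 or v2
        if opts.get("HttpTokens", "optional") != "required":
            found.append(inst["InstanceId"])
    return found


def remediation(instance_id, hop_limit=2):
    """Parameters for ec2.modify_instance_metadata_options() that force IMDSv2.
    Assumption: hop_limit=2 keeps IMDSv2 usable for pods that do not use host
    networking, since their traffic adds a network hop; 1 would break them."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": hop_limit}


if __name__ == "__main__":
    for iid in imdsv1_exposed(SAMPLE_RESPONSE):
        print(iid, remediation(iid))
```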
Depends on: OCPSTRAT-1531 Introduce API and Customizability for IMDS on HCP for AWS (New)
Is related to: HOSTEDCP-929 Allow configuration of IMDSv2/v1 in HyperShift (Closed)